AMENDMENTS TO THE CLAIMS

For the convenience of the Examiner, all claims have been presented whether or not 
an amendment has been made. The claims have been amended as follows: 

1. (Currently Amended) , A method of detecting a computer virus that 
attempts to gain access to restricted computer system resources, comprising:

emulating computer executable code in a subject file; and 

monitoring the emulation of the computer executable code and monitoring detecting
at least one modification to a memory state of the a computer system, wherein the at least
one modification: for modifications

is caused by the emulated instructions in emulation of the computer
executable code, to detect an attempt by the emulated code to access one or more of
the restricted computer system resources. ; and

comprises installation of an exception handler or an interrupt handler. 

2. (Currently Amended) The method of Claim 1, wherein:

the at least one modification comprises monitoring the emulation includes detecting
installation of an new exception handler; and

the emulated computer executable code comprises instructions for followed by
forcing of a corresponding exception. 

3. (Currently Amended) The method of Claim 1, further comprising:

wherein monitoring the emulation includes detecting writing of a new pointer to at
least one predetermined address in a system memory for storing an exception handler pointer. 

4. (Currently Amended) The method of Claim 1, further comprising:

wherein monitoring the emulation includes detecting installation, in a system
memory, of a new pointer to an exception handler.

5. (Currently Amended) The method of Claim 1, wherein:

the at least one modification comprises monitoring the emulation includes detecting
installation of an a new interrupt handler; and

the emulated computer executable code comprises instructions for followed by
forcing of a corresponding interrupt. 

6. (Currently Amended) The method of Claim 1, further comprising:

wherein monitoring the emulation includes detecting writing of a new pointer to at
least one predetermined address in a system memory for storing an interrupt handler pointer. 

7. (Currently Amended) The method of Claim 1, further comprising: 

wherein monitoring the emulation includes detecting use of a predetermined
instruction to retrieve an address in a system memory corresponding to an interrupt descriptor
table.

8. (Currently Amended) A program storage device readable by a
machine, tangibly embodying a program of instructions executable by the machine to
perform method steps for detecting a computer virus that attempts to gain access to restricted
computer system resources, the method steps comprising:

emulating computer executable code in a subject file; and 

monitoring the emulation of the computer executable code and monitoring detecting
at least one modification to a memory state of the a computer system, wherein the at least
one modification: for modifications

is caused by the emulated instructions in emulation of the computer
executable code, to detect an attempt by the emulated code to access one or more of
the restricted computer system resources. ; and

comprises installation of an exception handler or an interrupt handler. 

9. (Currently Amended) A computer system, comprising: 
a processor; and 

a program storage device readable by the a computer system, tangibly embodying a 
program of instructions executable by the processor to perform a method steps for detecting a
computer virus that attempts to gain access to restricted computer system resources, the
method steps comprising:

emulating computer executable code in a subject file; and 

monitoring the emulation of the computer executable code and monitoring detecting
at least one modification to a memory state of the a computer system, wherein the at least
one modification: for modifications

is caused by the emulation of emulated instructions in the computer
executable code, to detect an attempt by the emulated code to access one or more of
the restricted computer system resources. ; and

comprises installation of an exception handler or an interrupt handler.

10. (Currently Amended) A computer data signal embodied in a
transmission medium which embodies a program of instructions executable by a computer for
detecting a computer virus that attempts to gain access to restricted computer system
resources, comprising:

a first segment including comprising emulation code to emulate computer executable 
code in a subject file; and 

a second segment including monitor comprising detector code to monitor emulation
of the computer executable code and monitoring detect at least one modification to a
memory state of the a computer system, wherein the at least one modification: for
modifications

is caused by the emulation of emulated instructions in the computer
executable code; and

comprises installation of an exception handler or an interrupt handler a

third segment including detector code to detect an attempt by the emulated code to
access one or more of the restricted computer system resources.

11. (Currently Amended) An apparatus for detecting computer viruses that
attempt to gain access to restricted computer system resources, comprising:

an emulator component, wherein the emulator component emulates operable to
emulate computer executable code in a subject file; and

a monitor detector component, wherein the monitor emulation of the computer
executable code and monitoring operable to detect at least one modification to a memory
state of the a computer system, wherein the at least one modification: for modifications

is caused by emulation of the emulated instructions in the computer
executable code; and supplies information regarding the emulated code and
modification of the memory state; and

comprises installation of an exception handler or an interrupt handler a
detector component, wherein the detector component, based on the information
supplied by the monitor component regarding the emulated code execution and
modification of memory state by the emulated code execution, detects an attempt by
the emulated code to access one or more of the restricted computer system resources.

12. (Currently Amended) The apparatus of Claim 11, wherein the monitor
detector component is further operable to monitor a monitors system memory. 

13. (Currently Amended) The apparatus of Claim 11, wherein the at least 
one modification comprises the detector component detects installation of an a new
exception handler. 

14. (Currently Amended) The apparatus of Claim 13, wherein after the
detector component detects installation of a new exception handler, the emulated computer
executable code comprises instructions for detector component monitors code execution to
detect forcing of a corresponding exception.

15. (Currently Amended) The apparatus of Claim 11, wherein the at least 
one modification comprises detector component detects writing of a new pointer to at least
one predetermined address in a system memory for storing an exception handler pointer. 

16. (Currently Amended) The apparatus of Claim 11, wherein the at least 
one modification comprises detector component detects installation of an a new interrupt
handler. 

17. (Currently Amended) The apparatus of Claim 16, wherein the 
emulated computer executable code comprises instructions for after the detector
component detects installation of a new interrupt handler, the detector component monitors
code execution to detect forcing of a corresponding interrupt.

18. (Currently Amended) The apparatus of Claim 11, wherein the at least
one modification comprises detector component detects writing of a new pointer to at least
one predetermined address in a system memory for storing an interrupt handler pointer. 

19. (Currently Amended) The apparatus of Claim 11, wherein the at least 
one modification comprises monitor component detects use of a predetermined instruction
to retrieve an address in a system memory corresponding to an interrupt descriptor table.

20. (New) The method of Claim 1, wherein the computer system comprises a first
memory component and a second memory component, and wherein access to the second 
memory component is more restricted than access to the first memory component. 

21. (New) The method of Claim 20, wherein the exception handler or the 
interrupt handler attempts to modify the second memory component. 